[oracle@orlin ~]$ md5sum /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
83adb69ca4fcb8a787663e8f805c8dd8 /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
[oracle@orlin ~]$ /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/chopt disable lbac
Writing to /home/oracle/app/oracle/product/12.1.0/dbhome_1/install/disable_lbac.log...
/usr/bin/make -f /home/oracle/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk lbac_off
ORACLE_HOME =/home/oracle/app/oracle/product/12.1.0/dbhome_1
/usr/bin/make -f /home/oracle/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk ioracle
ORACLE_HOME= /home/oracle/app/oracle/product/12.1.0/dbhome_1
[oracle@orlin ~]$ md5sum /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
83adb69ca4fcb8a787663e8f805c8dd8 /home/oracle/app/oracle/product/12.1.0/dbhome_1/bin/oracle
As you can see above, the checksum has not changed despite the removal of binary options. This is good for our
rootkit detection: because the checksum stays stable across a legitimate option change, any later change in it can be
alerted on as an unauthorized modification. What follows is the integrity checker for DB objects, which also verifies
the integrity of dbms_utility and the Oracle binary itself. This is starting to become a reasonably good check.
--State checker to be run before and after break-glass sessions
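#!/bin/bash
# Break-glass state checker: run once before and once after a break-glass
# session, then diff the two logs. Any difference in file hashes, accounts,
# powerful grants or SYS/SYSTEM source hashes needs an explanation.
#
# Review notes:
#  - The log lands in the oracle account's own directory. Copy it to a location
#    the break-glass account cannot write to, or the baseline can be edited
#    along with whatever it is meant to detect.
#  - md5sum is kept so results stay comparable with earlier runs; sha256sum is
#    the stronger choice for a fresh baseline.
#  - The timestamp uses HH24. Plain HH is a 12-hour clock, so a morning run and
#    an afternoon run could share a filename and the ">" redirect below would
#    overwrite the earlier log.
ORACLE_SID=orcl
export ORACLE_SID
ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1
export ORACLE_HOME
PATH=$ORACLE_HOME/bin:$PATH
export PATH

# The log lists every account name and privileged grant, so keep it private.
umask 077
# A missing directory would make the redirects inside the SQL*Plus host
# commands fail without stopping the run.
mkdir -p /home/oracle/bginteg

# Log on to Oracle as SYS. The here-document is unquoted on purpose so the
# shell expands ORACLE_HOME; a literal dollar sign meant for SQL is escaped.
$ORACLE_HOME/bin/sqlplus -s / as sysdba<<EOF
-- Build the timestamp used in the log filename (24-hour clock)
column tm new_value file_time noprint
select to_char(sysdate, 'YYYYMMDDHH24MISS') tm from dual;
prompt &file_time
-- A SQL*Plus host command must sit on one line, so the wrapped lines of the
-- printed listing are joined here.
-- Hash the server binary, the relink config, orapwd, the wallet and the client
-- side config files. glogin.sql is included because SQL*Plus runs it at startup.
!/usr/bin/md5sum $ORACLE_HOME/bin/oracle $ORACLE_HOME/rdbms/lib/config.c $ORACLE_HOME/bin/orapwd /u01/app/oracle/admin/orcl/xdb_wallet/cwallet.sso $ORACLE_HOME/network/admin/sqlnet.ora $ORACLE_HOME/sqlplus/admin/glogin.sql > /home/oracle/bginteg/break-glass_integrity&file_time..log
-- Hash the dbms_utility package body text as found in the SYSTEM datafile, so
-- the package used for the source hashes below is itself checked from outside
-- the database. The quoted pattern was split across two lines in the printed
-- listing and is joined with one space here. TODO confirm it matches.
!/bin/cat /u01/app/oracle/oradata/orcl/system01.dbf | strings | pcregrep -M -A 70 'package body dbms_utility' | md5sum >> /home/oracle/bginteg/break-glass_integrity&file_time..log
spool /home/oracle/bginteg/break-glass_integrity&file_time..log append
-- Every query is ordered so that the before and after logs diff cleanly
-- All accounts and roles
select name from sys.user\$ order by name;
-- Holders of system privileges that allow privilege escalation
select * from sys.dba_sys_privs
where privilege in ('CREATE ANY DIRECTORY','CREATE ANY TRIGGER',
'CREATE ANY VIEW', 'EXECUTE ANY PROCEDURE','GRANT ANY OBJECT PRIVILEGE','BECOME USER')
order by grantee, privilege;
-- Grantees on packages that reach the OS, the scheduler or dynamic SQL
select grantee from sys.dba_tab_privs
where table_name in ('DBMS_JAVA','UTL_FILE','DBMS_SYS_SQL','DBMS_SCHEDULER','DBMS_JOB')
order by grantee;
select * from sys.dba_role_privs order by grantee, granted_role;
-- One number per schema summarising all stored source. get_hash_value is not a
-- cryptographic hash and AVG ignores line order, so treat a change as a
-- tripwire and not as proof that nothing changed when the number is equal.
SELECT AVG(dbms_utility.get_hash_value(text,1000000000,power(2,30)))
FROM sys.DBA_SOURCE
WHERE OWNER='SYS';
SELECT AVG(dbms_utility.get_hash_value(text,1000000000,power(2,30)))
FROM sys.DBA_SOURCE
WHERE OWNER='SYSTEM';
spool off
EXIT
EOF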